{
	"id": "da75e1f2-31c1-480c-8a6a-e959359e4a83",
	"created_at": "2026-04-06T00:21:24.753038Z",
	"updated_at": "2026-04-10T03:23:51.578749Z",
	"deleted_at": null,
	"sha1_hash": "ef2c299062baee9399dd53920e6af279b2154936",
	"title": "Qbot Likes to Move It, Move It",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1300429,
	"plain_text": "Qbot Likes to Move It, Move It\r\nBy editor\r\nPublished: 2022-02-07 · Archived: 2026-04-05 12:35:19 UTC\r\nQbot (aka QakBot, Quakbot, Pinkslipbot ) has been around for a long time having first been observed back in\r\n2007. More info on Qbot can be found at the following links: Microsoft \u0026 Red Canary\r\nIn this case, from October 2021, we will break down how Qbot quickly spread across all workstations in an\r\nenvironment, while stealing browser information and emails. While the case is nearly 5 months old, Qbot\r\ninfections in the past week have followed the same pattern.\r\nCase Summary\r\nWe did not observe the initial access for this case but assess with medium to high confidence that a malicious\r\nemail campaign was used to deliver an Excel (xls) document. Following the opening of the xls document, the\r\ninitial Qbot DLL loader was downloaded and saved to disk. Interestingly, the name of the DLL contained a .html\r\nextension to disguise the portable executable nature of the payload. Once executed, the Qbot process creates a\r\nscheduled task to elevate itself to system.\r\nQbot injected into many processes but one favorite in this intrusion, was Microsoft Remote Assistance (msra.exe).\r\nWithin minutes of landing on the beachhead, a series of discovery commands were executed using Microsoft\r\nutilities. Around the same time, LSASS was access by Qbot to collect credentials from memory.\r\nThirty minutes after initial access, Qbot was observed collecting data from the beachhead host including browser\r\ndata and emails from Outlook. At around 50 minutes into the infection, the beachhead host copied a Qbot dll to an\r\nadjacent workstation, which was then executed by remotely creating a service. Minutes later, the beachhead host\r\ndid the same thing to another adjacent workstation and then another, and before we knew it, all workstations in the\r\nenvironment were compromised.\r\nQbot followed it’s normal process on each machine. Servers were not accessed in this intrusion. After this activity,\r\nnormal beaconing occurred but no further actions on objectives were seen.\r\nServices\r\nWe offer multiple services including a Threat Feed service which tracks Command and Control frameworks such\r\nas Qbot, Cobalt Strike, BazarLoader, Covenant, Metasploit, Empire, PoshC2, etc. More information on this\r\nservice and others can be found here.\r\nWe also have artifacts and IOCs available from this case such as memory captures, files, event logs including\r\nSysmon, Kape packages, and more, under our Security Researcher and Organization services.\r\nTimeline\r\nhttps://thedfirreport.com/2022/02/07/qbot-likes-to-move-it-move-it/\r\nPage 1 of 20\n\nAnalysis and reporting completed by @iiamaleks\r\nReviewed by and @MetallicHack \u0026 @tas_kmanager\r\nMITRE ATT\u0026CK\r\nInitial Access\r\nWe assess with medium to high confidence that the QBot infection was delivered to the system via a malspam\r\ncampaign through a hidden 4.0 Macro’s in Excel.\r\nhttps://thedfirreport.com/2022/02/07/qbot-likes-to-move-it-move-it/\r\nPage 2 of 20\n\nWe believe this is the xls file that lead to the Qbot infection, due to the overlap in time period, download url, and\r\nfile name.\r\nExecution\r\nThe QBot dll was executed on the system and shortly after, injected into the msra.exe process.\r\nPrivilege Escalation\r\nA scheduled task was created by Qbot to escalate to SYSTEM privileges. This scheduled task was created by the\r\nmsra.exe process, to be run only once, a few minutes after its creation.\r\n\"schtasks.exe\" /Create /RU \"NT AUTHORITY\\SYSTEM\" /tn juqpxmakfk /tr \"regsvr32.exe -s \\\"C:\\Users\\REDAC\r\nDefense Evasion\r\nhttps://thedfirreport.com/2022/02/07/qbot-likes-to-move-it-move-it/\r\nPage 3 of 20\n\nQBot was observed injecting into msra.exe process on multiple systems.\r\nMultiple folders were added to the Windows Defender Exclusions list in order to prevent the Qbot dll placed\r\ninside of it from being detected. The newly dropped dll was then executed and process injected into msra.exe.\r\nQbot used reg.exe to add Defender folder exceptions for folders within AppData and ProgramData.\r\nC:\\Windows\\system32\\reg.exe ADD \\\"HKLM\\SOFTWARE\\Microsoft\\Microsoft Antimalware\\Exclusions\\Paths\\\" /f /t REG_DW\r\nC:\\Windows\\system32\\reg.exe ADD \\\"HKLM\\SOFTWARE\\Microsoft\\Windows Defender\\Exclusions\\Paths\\\" /f /t REG_DWORD /v\r\ndll files dropped by Qbot, were deleted after injection into msra.exe.\r\nCredential Access\r\nLSASS was accessed by Qbot, with the intention of accessing credentials. This can be observed through the\r\nSysmon process access event, indicating the GrantedAccess value of 0x1410 .\r\nAdditional evidence of LSASS access was visible in API calls from Qbot injected processes to LSASS.\r\nhttps://thedfirreport.com/2022/02/07/qbot-likes-to-move-it-move-it/\r\nPage 4 of 20\n\nDiscovery\r\nThe following discovery commands where observed coming from the Qbot processes. These commands where\r\nexecuted on the beachhead system along with other workstations compromised through lateral movement.\r\nwhoami /all\r\narp -a\r\ncmd /c set\r\narp -a\r\nnet view /all\r\nipconfig /all\r\nnet view /all\r\nnslookup -querytype=ALL -timeout=10 _ldap._tcp.dc._msdcs.REDACTED\r\nroute print\r\nnet share\r\nnet1 localgroup\r\nnet localgroup\r\nnetstat -nao\r\nLateral Movement\r\nhttps://thedfirreport.com/2022/02/07/qbot-likes-to-move-it-move-it/\r\nPage 5 of 20\n\nQbot moved laterally to all workstations in the environment by copying a dll to the machine and then remotely\r\ncreating a service to execute the Qbot dll. The services created had the DeleteFlag set causing the service to be\r\nremoved upon reboot.\r\nThe following occurred on each workstation:\r\nhttps://thedfirreport.com/2022/02/07/qbot-likes-to-move-it-move-it/\r\nPage 6 of 20\n\nThe lateral movement activity from the beachhead host was rapid and connections were seen across all\r\nworkstations in the network. A view from the memory of the beachhead host shows the injected msra process\r\nconnecting to hosts across the network.\r\nhttps://thedfirreport.com/2022/02/07/qbot-likes-to-move-it-move-it/\r\nPage 7 of 20\n\nThe service creations were also observed via event id 7045 across all hosts.\r\nCollection\r\nQbot is widely known to steal emails with the intention of collecting information and performing email thread\r\nhijacking.\r\nEmail data will be collected and stored in 1 of 2 locations.\r\nC:\\Users\\Username\\EmailStorage_ComputerHostname-Username_TimeStamp\r\nC:\\Windows\\system32\\config\\systemprofile\\EmailStorage_ComputerHostname-Username_TimeStamp\r\nOnce exfiltrated from the system this folder is then deleted as seen below\r\ncmd.exe /c rmdir /S /Q \"C:\\Users\\REDACTED\\EmailStorage_REDACTED-REDACTED_REDACTED\"\r\ncmd.exe /c rmdir /S /Q \"C:\\Windows\\system32\\config\\systemprofile\\EmailStorage_REDACTED-REDACTED_REDAC\r\nhttps://thedfirreport.com/2022/02/07/qbot-likes-to-move-it-move-it/\r\nPage 8 of 20\n\nCollection of browser data from Internet Explorer and Microsoft Edge was also observed with Qbot using the\r\nbuilt-in utility esentutl.exe.\r\nesentutl.exe /r V01 /l\"C:\\Users\\REDACTED\\AppData\\Local\\Microsoft\\Windows\\WebCache\" /s\"C:\\Users\\REDACT\r\nCommand and Control\r\nQbot uses a tiered infrastructure, often using other compromised systems as first tier proxy points for establishing\r\na constantly changing list of C2 endpoints. You can review a in-depth analysis of the modules of this malware in\r\nthis Checkpoint report.\r\nWith this type of setup the list of C2 from October 2021, has in large rotated out of use. To keep up to date on\r\ncurrent Qbot C2 endpoints you can check out our Threat Feed \u0026 All Intel service as we track these changing lists\r\ndaily.\r\nQbot does use SSL in it’s C2 communication but does not rely soley on port 443 for communication, in the case\r\ninvestigated here the following ports were found in the extracted C2 configuration.\r\n Count Port\r\n 88 443\r\n 25 995\r\n 17 2222\r\n 3 2078\r\n 2 465\r\n 2 20\r\n 1 993\r\n 1 61201\r\n 1 50010\r\n 1 32100\r\n 1 21\r\n 1 1194\r\nhttps://thedfirreport.com/2022/02/07/qbot-likes-to-move-it-move-it/\r\nPage 9 of 20\n\nQbot uses SSL and while the domains do not resolve, they follow a pattern and are detectable with several\r\nSuricata ETPRO signatures.\r\nQbot JA3/S:\r\nJA3: 72a589da586844d7f0818ce684948eea, c35a61411ee5bdf666b4d64b05c29e64\r\nJA3s: 7c02dbae662670040c7af9bd15fb7e2f\r\nImpact\r\nThe final actions of the threat actor were not observed, however, the data exfiltrated from the network could be\r\nused to conduct further attacks or sold to 3rd parties.\r\nIOCs\r\nNetwork\r\n120.150.218.241:995\r\n71.74.12.34:443\r\n24.229.150.54:995\r\n185.250.148.74:443\r\n136.232.34.70:443\r\n82.77.137.101:995\r\n75.188.35.168:443\r\n72.252.201.69:443\r\n109.12.111.14:443\r\n68.204.7.158:443\r\nhttps://thedfirreport.com/2022/02/07/qbot-likes-to-move-it-move-it/\r\nPage 10 of 20\n\n196.218.227.241:995\r\n27.223.92.142:995\r\n76.25.142.196:443\r\n73.151.236.31:443\r\n185.250.148.74:2222\r\n173.21.10.71:2222\r\n189.210.115.207:443\r\n105.198.236.99:443\r\n47.22.148.6:443\r\n24.55.112.61:443\r\n24.139.72.117:443\r\n45.46.53.140:2222\r\n92.59.35.196:2222\r\n95.77.223.148:443\r\n68.186.192.69:443\r\n89.101.97.139:443\r\n173.25.166.81:443\r\n140.82.49.12:443\r\nFile\r\nocrafh.html.dll\r\n2897721785645ad5b2a8fb524ed650c0\r\nd836fa75f0682b4c393418231aefca97169d551e\r\n956ecb4afa437eafe56f958b34b6a78303ad626baee004715dc6634b7546bf85\r\nqbbwlwjmlmnaggd.dll\r\ne0fafe1b4eb787444ed457dbf05895a4\r\n16b5b1494e211b74e97d9f35ff5a994f70411f2e\r\n9f6e3b0b18f994950b40076d1386b4da4ce0f1f973b129b32b363aac4a678631\r\nhyietnrfrx.uit\r\nb6ed9b2819915c2b57d4c58e37c08ba4\r\ne9ff9b7e144bdad9d8955f4a328f7b6daa2b455e\r\n70a49561f39bb362a2ef79db15e326812912c17d6e6eb38ef40343a95409a19a\r\nznmxbx.evj\r\n2a8cf6154e6a129ffd07a501bbc0b098\r\n304d8e812a8d988e21af8a865d8dd577dc6f3134\r\ne510566244a899d6a427c1648e680a2310c170a5f25aff53b15d8de52ca11767\r\nzsokarzi.xpq\r\n43660d21bfa1431e0ee3426cd12ddf38\r\n5d3b7e0c05e65aa0dfc8b5e48142d782352e36be\r\ncbfc135bff84d63c4a0ccb5102cfa17d8c9bf297079f3b2f1371dafcbefea77c\r\ntuawktso.vbe\r\nad413cd422c1a0355163618683e936a0\r\n5fca07dfc68a13b3707636440d5c416e56149357\r\n1411250eb56c55e274fbcf0741bbd3b5c917167d153779c7d8041ab2627ef95f\r\njtrbde.dll\r\nhttps://thedfirreport.com/2022/02/07/qbot-likes-to-move-it-move-it/\r\nPage 11 of 20\n\n5dd964c8d9025224eb658f96034babea\r\n6c526a28ed49b2ef83548e20a71610877e69d450\r\n3d913a4ba5c4f7810ec6b418d7a07b6207b60e740dde8aed3e2df9ddf1caab27\r\nrzmulxiilw.dll\r\n000df43b256cdc27bb22870919bb1dfa\r\nf94d5bf14dee6a6e8db957d49c259082dd82350b\r\nca564c6702d5e653ed8421349f4d37795d944793a3dbd1bb3c5dbc5732f1b798\r\nljncxcwmsg.gjf\r\n88834d17d2cdce884a73e38638a4e0dd\r\nb5b264d00a7d6d6b3dd4965dbe2bd00e0823ba6c\r\nc789bb45cacf0de1720e707f9edd73b4ed0edc958b3ce2d8f0ad5d4a7596923a\r\nDetections\r\nNetwork\r\nETPRO TROJAN Observed Qbot Style SSL Certificate\r\nETPRO TROJAN Possible Qbot SSL Cert\r\nET POLICY PE EXE or DLL Windows file download HTTP\r\nSigma\r\ntitle: QBot process creation from scheduled task REGSVR32 (regsvr32.exe), -s flag and SYSTEM in the c\r\nid: 33d9c3f4-57a6-4ddb-a2a0-b2ccf8482607\r\nstatus: test\r\ndescription: Detects the process creation from Scheduled Task with REGSVR32 (regsvr32.exe), -s flag a\r\nauthor: tas_kmanager, TheDFIRReport\r\nreferences:https://thedfirreport.com/2022/02/07/qbot-likes-to-move-it-move-it/\r\ndate: 2022/02/06\r\nmodified: 2022/02/06\r\nlogsource:\r\ncategory: process_creation\r\nproduct: windows\r\ndetection:\r\nselection:\r\nCommandLine|contains|all:\r\n- 'schtasks.exe'\r\n- 'regsvr32.exe -s'\r\n- 'SYSTEM'\r\ncondition: selection\r\nfalsepositives:\r\n- unknown\r\nlevel: high\r\ntags:\r\n- attack.persistence\r\nhttps://thedfirreport.com/2022/02/07/qbot-likes-to-move-it-move-it/\r\nPage 12 of 20\n\n- attack.privilege_escalation\r\n- attack.t1053.005\r\n- qbot\r\ntitle: QBot scheduled task REGSVR32 and C$ image path\r\nid: 014da553-5727-4e47-9544-56da83b3eb6f\r\ndescription: Detects the creation of Scheduled Task with REGSVR32 (regsvr32.exe) and C$ in the image\r\nstatus: test\r\nauthor: tas_kmanager, TheDFIRReport\r\nreferences:https://thedfirreport.com/2022/02/07/qbot-likes-to-move-it-move-it/\r\ndate: 2022/02/06\r\nmodified: 2022/02/06\r\nlogsource:\r\nproduct: windows\r\nservice: system\r\ndetection:\r\nselection:\r\nProvider_Name: 'Service Control Manager'\r\nEventID: 7045\r\nImagePath|contains|all:\r\n- 'regsvr32.exe'\r\n- 'C$'\r\ncondition: selection\r\nlevel: high\r\nfalsepositives:\r\n- low\r\ntags:\r\n- attack.persistence\r\n- attack.privilege_escalation\r\n- attack.t1053.005\r\n- qbot\r\ntitle: EmailStorage file deletion - QBot\r\nid: 695e7200-c733-44b3-9231-6d3459c668ba\r\nstatus: test\r\ndescription: Detect EmailStorage file deletion after QBot infection\r\nauthor: tas_kmanager, TheDFIRReport\r\nreferences:https://thedfirreport.com/2022/02/07/qbot-likes-to-move-it-move-it/\r\ndate: 2022/02/06\r\nmodified: 2022/02/06\r\nlogsource:\r\ncategory: process_creation\r\nproduct: windows\r\ndetection:\r\nselection:\r\nhttps://thedfirreport.com/2022/02/07/qbot-likes-to-move-it-move-it/\r\nPage 13 of 20\n\nParentCommandLine|contains:\r\n- '\\EmailStorage_'\r\n- 'rmdir'\r\nImage|endswith: '\\cmd.exe'\r\ncondition: selection\r\nfalsepositives:\r\n- low\r\nlevel: high\r\ntags:\r\n- attack.defense_evasion\r\n- attack.t1070.004\r\n- qbot\r\nWhoami Execution Anomaly\r\nSuspicious Reconnaissance Activity\r\nMimikatz Detection LSASS Access\r\nYara\r\n/*\r\n YARA Rule Set\r\n Author: The DFIR Report\r\n Date: 2022-02-07\r\n Identifier: Case 7685\r\n Reference: https://thedfirreport.com/2022/02/07/qbot-likes-to-move-it-move-it/\r\n*/\r\n/* Rule Set ----------------------------------------------------------------- */\r\nimport \"pe\"\r\nrule tuawktso_7685 {\r\n meta:\r\n description = \"Files - file tuawktso.vbe\"\r\n author = \"The DFIR Report\"\r\n reference = \"https://thedfirreport.com/\"\r\n date = \"2022-02-01\"\r\n hash1 = \"1411250eb56c55e274fbcf0741bbd3b5c917167d153779c7d8041ab2627ef95f\"\r\n strings:\r\n $s1 = \"* mP_5z\" fullword ascii\r\n $s2 = \"44:HD:\\\\C\" fullword ascii\r\n $s3 = \"zoT.tid\" fullword ascii\r\n $s4 = \"dwmcoM\u003c\" fullword ascii\r\n $s5 = \"1iHBuSER:\" fullword ascii\r\n $s6 = \"78NLog.j\" fullword ascii\r\nhttps://thedfirreport.com/2022/02/07/qbot-likes-to-move-it-move-it/\r\nPage 14 of 20\n\n$s7 = \"-FtP4p\" fullword ascii\r\n $s8 = \"x\u003cd%[ * \" fullword ascii\r\n $s9 = \"O2f+ \" fullword ascii\r\n $s10 = \"- wir2\" fullword ascii\r\n $s11 = \"+ \\\"z?}xn$\" fullword ascii\r\n $s12 = \"+ $Vigb\" fullword ascii\r\n $s13 = \"# W}7k\" fullword ascii\r\n $s14 = \"# N)M)9\" fullword ascii\r\n $s15 = \"?uE- dO\" fullword ascii\r\n $s16 = \"W_* 32\" fullword ascii\r\n $s17 = \"\u003ev9+ H\" fullword ascii\r\n $s18 = \"tUg$* h\" fullword ascii\r\n $s19 = \"`\\\"*- M\" fullword ascii\r\n $s20 = \"b^D$ -L\" fullword ascii\r\n condition:\r\n uint16(0) == 0xe0ee and filesize \u003c 12000KB and\r\n 8 of them\r\n}\r\nrule wmyvpa_7685 {\r\n meta:\r\n description = \"Files - file wmyvpa.sae\"\r\n author = \"The DFIR Report\"\r\n reference = \"https://thedfirreport.com/\"\r\n date = \"2022-02-01\"\r\n hash1 = \"3d913a4ba5c4f7810ec6b418d7a07b6207b60e740dde8aed3e2df9ddf1caab27\"\r\n strings:\r\n $s1 = \"spfX.hRN\u003c\" fullword ascii\r\n $s2 = \"wJriR\u003eEOODA[.tIM\" fullword ascii\r\n $s3 = \"5v:\\\\VAL\" fullword ascii\r\n $s4 = \"K6U:\\\"\u0026\" fullword ascii\r\n $s5 = \"%v,.IlZ\\\\\" fullword ascii\r\n $s6 = \"\\\\/kX\u003e%n -\" fullword ascii\r\n $s7 = \"!Dllqj\" fullword ascii\r\n $s8 = \"\u0026ZvM* \" fullword ascii\r\n $s9 = \"AU8]+ \" fullword ascii\r\n $s10 = \"- vt\u003eh\" fullword ascii\r\n $s11 = \"+ u4hRI\" fullword ascii\r\n $s12 = \"ToX- P\" fullword ascii\r\n $s13 = \"S!G+ u\" fullword ascii\r\n $s14 = \"y 9-* \" fullword ascii\r\n $s15 = \"nl}* J\" fullword ascii\r\n $s16 = \"t /Y Fo\" fullword ascii\r\n $s17 = \"O^w- F\" fullword ascii\r\n $s18 = \"N -Vw'\" fullword ascii\r\n $s19 = \"hVHjzI4\" fullword ascii\r\n $s20 = \"ujrejn8\" fullword ascii\r\nhttps://thedfirreport.com/2022/02/07/qbot-likes-to-move-it-move-it/\r\nPage 15 of 20\n\ncondition:\r\n uint16(0) == 0xd3c2 and filesize \u003c 12000KB and\r\n 8 of them\r\n}\r\nrule ocrafh_html_7685 {\r\n meta:\r\n description = \"Files - file ocrafh.html.dll\"\r\n author = \"The DFIR Report\"\r\n reference = \"https://thedfirreport.com/\"\r\n date = \"2022-02-01\"\r\n hash1 = \"956ecb4afa437eafe56f958b34b6a78303ad626baee004715dc6634b7546bf85\"\r\n strings:\r\n $s1 = \"Over.dll\" fullword wide\r\n $s2 = \"c:\\\\339\\\\Soon_Back\\\\Hope\\\\Wing\\\\Subject-sentence\\\\Over.pdb\" fullword ascii\r\n $s3 = \"7766333344\" ascii /* hex encoded string 'wf33D' */\r\n $s4 = \"6655557744\" ascii /* hex encoded string 'fUUwD' */\r\n $s5 = \"7733225566\" ascii /* hex encoded string 'w3\"Uf' */\r\n $s6 = \"5577445500\" ascii /* hex encoded string 'UwDU' */\r\n $s7 = \"113333\" ascii /* reversed goodware string '333311' */\r\n $s8 = \"'56666\" fullword ascii /* reversed goodware string '66665'' */\r\n $s9 = \"224444\" ascii /* reversed goodware string '444422' */\r\n $s10 = \"0044--\" fullword ascii /* reversed goodware string '--4400' */\r\n $s11 = \"444455\" ascii /* reversed goodware string '554444' */\r\n $s12 = \"5555//\" fullword ascii /* reversed goodware string '//5555' */\r\n $s13 = \"44....\" fullword ascii /* reversed goodware string '....44' */\r\n $s14 = \",,,2255//5566\" fullword ascii /* hex encoded string '\"UUf' */\r\n $s15 = \"44//446644//\" fullword ascii /* hex encoded string 'DDfD' */\r\n $s16 = \"7755//44----.\" fullword ascii /* hex encoded string 'wUD' */\r\n $s17 = \"?^.4444--,,55\" fullword ascii /* hex encoded string 'DDU' */\r\n $s18 = \"66,,5566////55\" fullword ascii /* hex encoded string 'fUfU' */\r\n $s19 = \"operator co_await\" fullword ascii\r\n $s20 = \"?\\\"55//////77\" fullword ascii /* hex encoded string 'Uw' */\r\n condition:\r\n uint16(0) == 0x5a4d and filesize \u003c 2000KB and\r\n ( pe.imphash() == \"fadf54554241c990b4607d042e11e465\" and ( pe.exports(\"Dropleave\") and pe.exports(\"GlassEx\r\n}\r\nrule ljncxcwmsg_7685 {\r\n meta:\r\n description = \"Files - file ljncxcwmsg.gjf\"\r\n author = \"The DFIR Report\"\r\n reference = \"https://thedfirreport.com/\"\r\n date = \"2022-02-01\"\r\n hash1 = \"c789bb45cacf0de1720e707f9edd73b4ed0edc958b3ce2d8f0ad5d4a7596923a\"\r\n strings:\r\n $s1 = \"x=M:\\\"*\" fullword ascii\r\nhttps://thedfirreport.com/2022/02/07/qbot-likes-to-move-it-move-it/\r\nPage 16 of 20\n\n$s2 = \"=DdlLxu\" fullword ascii\r\n $s3 = \"#+- 7 \" fullword ascii\r\n $s4 = \"1CTxH* \" fullword ascii\r\n $s5 = \"OF0+ K\" fullword ascii\r\n $s6 = \"\\\\oNvd4Ww\" fullword ascii\r\n $s7 = \"jvKSZ21\" fullword ascii\r\n $s8 = \"o%U%uhuc]\" fullword ascii\r\n $s9 = \"~rCcqlf1 0\" fullword ascii\r\n $s10 = \"kjoYf^=8\" fullword ascii\r\n $s11 = \"jpOMR4}\" fullword ascii\r\n $s12 = \"ZIIUn'u\" fullword ascii\r\n $s13 = \"7uCyy7=H\" fullword ascii\r\n $s14 = \"#c.sel}W\" fullword ascii\r\n $s15 = \")t)uSKv%\u0026}\" fullword ascii\r\n $s16 = \"VGiAP/o(\" fullword ascii\r\n $s17 = \"SwcF~i`\" fullword ascii\r\n $s18 = \"*ITDe5\\\\n\" fullword ascii\r\n $s19 = \"MjKB!X\" fullword ascii\r\n $s20 = \"tjfVUus\" fullword ascii\r\n condition:\r\n uint16(0) == 0xa5a4 and filesize \u003c 2000KB and\r\n 8 of them\r\n}\r\nrule hyietnrfrx_7685 {\r\n meta:\r\n description = \"Files - file hyietnrfrx.uit\"\r\n author = \"The DFIR Report\"\r\n reference = \"https://thedfirreport.com/\"\r\n date = \"2022-02-01\"\r\n hash1 = \"70a49561f39bb362a2ef79db15e326812912c17d6e6eb38ef40343a95409a19a\"\r\n strings:\r\n $s1 = \"Z)* -^'\" fullword ascii\r\n $s2 = \"%EGMf%mzT\" fullword ascii\r\n $s3 = \"CYR:\\\"n\" fullword ascii\r\n $s4 = \"CbIN$P;\" fullword ascii\r\n $s5 = \"We:\\\\\u003eK\" fullword ascii\r\n $s6 = \"h^nd* \" fullword ascii\r\n $s7 = \"+ GR;q\" fullword ascii\r\n $s8 = \"u%P%r2A\" fullword ascii\r\n $s9 = \"ti+ gj?\" fullword ascii\r\n $s10 = \"glMNdH8\" fullword ascii\r\n $s11 = \"SuiMFrn7\" fullword ascii\r\n $s12 = \"K* B5T\" fullword ascii\r\n $s13 = \"eLpsNt \" fullword ascii\r\n $s14 = \"aQeG% SMF \" fullword ascii\r\n $s15 = \"JdYQ67 \" fullword ascii\r\nhttps://thedfirreport.com/2022/02/07/qbot-likes-to-move-it-move-it/\r\nPage 17 of 20\n\n$s16 = \"f\u003exYrBDvNF+Q\" fullword ascii\r\n $s17 = \"OESW[\u003eO\" fullword ascii\r\n $s18 = \"9rlPY5__\" fullword ascii\r\n $s19 = \"DMvH{}L\" fullword ascii\r\n $s20 = \".dgQ\u003eH\" fullword ascii\r\n condition:\r\n uint16(0) == 0x4eee and filesize \u003c 2000KB and\r\n 8 of them\r\n}\r\nrule zsokarzi_7685 {\r\n meta:\r\n description = \"Files - file zsokarzi.xpq\"\r\n author = \"The DFIR Report\"\r\n reference = \"https://thedfirreport.com/\"\r\n date = \"2022-02-01\"\r\n hash1 = \"cbfc135bff84d63c4a0ccb5102cfa17d8c9bf297079f3b2f1371dafcbefea77c\"\r\n strings:\r\n $s1 = \"}poSpY\" fullword ascii\r\n $s2 = \"[cmD\u003eS\" fullword ascii\r\n $s3 = \"# {y|4\" fullword ascii\r\n $s4 = \"IX%k%5u\" fullword ascii\r\n $s5 = \"YKeial7\" fullword ascii\r\n $s6 = \"#%y% !\" fullword ascii\r\n $s7 = \"wOUV591\" fullword ascii\r\n $s8 = \"| VJHt}\u0026Y\" fullword ascii\r\n $s9 = \"BEgs% 5\" fullword ascii\r\n $s10 = \"UKCy\\\\n\" fullword ascii\r\n $s11 = \"w;gOxQ?\" fullword ascii\r\n $s12 = \"'OHSf\\\"/x\" fullword ascii\r\n $s13 = \"=#qVNkOnj\" fullword ascii\r\n $s14 = \"{_OqzbVbN\" fullword ascii\r\n $s15 = \"QEQro\\\\4\" fullword ascii\r\n $s16 = \"ohFq\\\\P\" fullword ascii\r\n $s17 = \"34eYZVnp2\" fullword ascii\r\n $s18 = \"rxuqLDG\" fullword ascii\r\n $s19 = \"kUZI6J#\" fullword ascii\r\n $s20 = \"IEJl1}+\" fullword ascii\r\n condition:\r\n uint16(0) == 0xc1d7 and filesize \u003c 2000KB and\r\n 8 of them\r\n}\r\nrule znmxbx_7685 {\r\n meta:\r\n description = \"Files - file znmxbx.evj\"\r\n author = \"The DFIR Report\"\r\nhttps://thedfirreport.com/2022/02/07/qbot-likes-to-move-it-move-it/\r\nPage 18 of 20\n\nreference = \"https://thedfirreport.com/\"\r\n date = \"2022-02-01\"\r\n hash1 = \"e510566244a899d6a427c1648e680a2310c170a5f25aff53b15d8de52ca11767\"\r\n strings:\r\n $s1 = \"# /rL,;\" fullword ascii\r\n $s2 = \"* m?#;rE\" fullword ascii\r\n $s3 = \"\u003e\\\\'{6|B{\" fullword ascii /* hex encoded string 'k' */\r\n $s4 = \"36\\\\$'48`\" fullword ascii /* hex encoded string '6H' */\r\n $s5 = \"\u0026#$2\\\\\u00266\u0026[\" fullword ascii /* hex encoded string '\u0026' */\r\n $s6 = \"zduwzpa\" fullword ascii\r\n $s7 = \"CFwH}\u0026.MWi \" fullword ascii\r\n $s8 = \"e72.bCZ\u003c\" fullword ascii\r\n $s9 = \"*c:\\\"HK!\\\\\" fullword ascii\r\n $s10 = \"mBf:\\\"t~\" fullword ascii\r\n $s11 = \"7{R:\\\"O`\" fullword ascii\r\n $s12 = \"7SS.koK#\" fullword ascii\r\n $s13 = \"7lS od:\\\\\" fullword ascii\r\n $s14 = \"kMRWSyi$%D^b\" fullword ascii\r\n $s15 = \"Wkz=c:\\\\\" fullword ascii\r\n $s16 = \"1*l:\\\"L\" fullword ascii\r\n $s17 = \"GF8$d:\\\\T\" fullword ascii\r\n $s18 = \"i$\\\".N8spy\" fullword ascii\r\n $s19 = \"f4LOg@\" fullword ascii\r\n $s20 = \"XiRcwU\" fullword ascii\r\n condition:\r\n uint16(0) == 0x3888 and filesize \u003c 12000KB and\r\n 8 of them\r\n}\r\nMITRE\r\nRundll32 – T1218.011\r\nScheduled Task – T1053.005\r\nDisable or Modify Tools – T1562.001\r\nProcess Injection – T1055\r\nLSASS Memory – T1003.001\r\nNetwork Share Discovery – T1135\r\nLocal Groups – T1069.001\r\nLocal Account – T1087.001\r\nSystem Network Connections Discovery – T1049\r\nSystem Network Configuration Discovery – T1016\r\nInternet Connection Discovery – T1016.001\r\nEmail Collection – T1114\r\nCredentials from Web Browsers – T1555.003\r\nCommonly Used Port – T1043\r\nhttps://thedfirreport.com/2022/02/07/qbot-likes-to-move-it-move-it/\r\nPage 19 of 20\n\nApplication Layer Protocol – T1071\r\nWeb Protocols – T1071.001\r\nExfiltration Over C2 Channel – T1041\r\nInternal case #7685\r\nSource: https://thedfirreport.com/2022/02/07/qbot-likes-to-move-it-move-it/\r\nhttps://thedfirreport.com/2022/02/07/qbot-likes-to-move-it-move-it/\r\nPage 20 of 20",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia",
		"ETDA"
	],
	"references": [
		"https://thedfirreport.com/2022/02/07/qbot-likes-to-move-it-move-it/"
	],
	"report_names": [
		"qbot-likes-to-move-it-move-it"
	],
	"threat_actors": [
		{
			"id": "d90307b6-14a9-4d0b-9156-89e453d6eb13",
			"created_at": "2022-10-25T16:07:23.773944Z",
			"updated_at": "2026-04-10T02:00:04.746188Z",
			"deleted_at": null,
			"main_name": "Lead",
			"aliases": [
				"Casper",
				"TG-3279"
			],
			"source_name": "ETDA:Lead",
			"tools": [
				"Agentemis",
				"BleDoor",
				"Cobalt Strike",
				"CobaltStrike",
				"RbDoor",
				"RibDoor",
				"Winnti",
				"cobeacon"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434884,
	"ts_updated_at": 1775791431,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/ef2c299062baee9399dd53920e6af279b2154936.pdf",
		"text": "https://archive.orkl.eu/ef2c299062baee9399dd53920e6af279b2154936.txt",
		"img": "https://archive.orkl.eu/ef2c299062baee9399dd53920e6af279b2154936.jpg"
	}
}